Here are a few notes:
Below is the only requirement to access the XML API:
class-map type management match-any REMOTE_MANAGEMENT_CLASS
  6 match protocol telnet any
  7 match protocol ssh any
  8 match protocol icmp any
  9 match protocol http any
  10 match protocol https any <--- this one permits access to the XML API
policy-map type management first-match REMOTE_MANAGEMENT_POLICY
interface vlan 640
  ip address 10.10.40.97 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MANAGEMENT_POLICY
Notice that in your curl statement, you are using http instead of https. The XML API uses HTTPS.
The user you use should be configured on the ACE.
If possible, I would recommend upgrading to A2(2.4) or A2(3.1), as the code you are running is old. This is not related to your XML API issue, however.
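The check below is an added example, not part of the original post or Cisco's tooling: it parses an ACE management configuration like the one above and reports, per interface, whether HTTPS (and so the XML API) is permitted and which cleartext management protocols are permitted alongside it. The function name `audit` is hypothetical, and the `class ... permit` lines in the constructed sample are an assumption, since the post does not show how the class-map is tied to the policy-map.

```python
import re

# Constructed sample: the post's excerpt plus the "class ... permit" lines
# that tie the class-map to the policy-map (assumed, not shown in the post).
SAMPLE = """\
class-map type management match-any REMOTE_MANAGEMENT_CLASS
  6 match protocol telnet any
  7 match protocol ssh any
  8 match protocol icmp any
  9 match protocol http any
  10 match protocol https any
policy-map type management first-match REMOTE_MANAGEMENT_POLICY
  class REMOTE_MANAGEMENT_CLASS
    permit
interface vlan 640
  ip address 10.10.40.97 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MANAGEMENT_POLICY
"""
CLEARTEXT = {"telnet", "http"}  # management protocols without transport encryption

def audit(config):
    """Per interface: is HTTPS (XML API) permitted, and which cleartext protocols are."""
    classes, policies, bound = {}, {}, {}
    kind = name = pending = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(class-map|policy-map) type management \S+ (\S+)$", line):
            kind, name, pending = m.group(1), m.group(2), None
        elif m := re.match(r"interface (.+)$", line):
            kind, name = "interface", m.group(1)
        elif re.match(r"(class-map|policy-map) ", line):
            kind = name = None  # non-management map: skip its body
        elif kind == "class-map" and (m := re.match(r"(?:\d+ )?match protocol (\S+) ", line)):
            classes.setdefault(name, set()).add(m.group(1))
        elif kind == "policy-map" and (m := re.match(r"class (\S+)$", line)):
            pending = m.group(1)
        elif kind == "policy-map" and line == "permit" and pending:
            policies.setdefault(name, []).append(pending)
        elif kind == "interface" and (m := re.match(r"service-policy input (\S+)$", line)):
            bound.setdefault(name, []).append(m.group(1))
    report = {}
    for intf, pols in bound.items():
        protos = set()
        for pol in pols:
            for cls in policies.get(pol, []):
                protos |= classes.get(cls, set())
        report[intf] = {"xml_api": "https" in protos, "cleartext": sorted(protos & CLEARTEXT)}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Section boundaries are detected by keyword rather than indentation, so the parser also handles configuration text that has lost its leading whitespace.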